----- Original Message -----
From: "Stephan Lagerholm" <[email protected]>
To: "George Barwood" <[email protected]>; <[email protected]>
Sent: Wednesday, June 30, 2010 2:25 PM
Subject: RE: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
> I would encourage some type of notification mechanism so that the parent
> doesn't have to poll blindly.

Yes, this could be useful. I'm not sure it is essential, or what mechanism would be best. I haven't looked to see whether NOTIFY could be used, or possibly a new opcode.

> Also, why not use a DNSKEY with another
> flag to announce the availability of a new key instead of a new RR?
> Similar to what RFC5011 is doing for a revoked key.

It is probably possible to use the DNSKEY RR with flags. However I think using the CDS record has several advantages (that I should possibly incorporate into the draft).

(1) It allows the DS to be published without revealing the public key. This means an adversary cannot start cryptanalysis at this point.

(2) The size of the DNSKEY RRset does not vary while the rollover is being performed. Given the transport constraints, this seems a significant advantage.

(3) Finally, it may be useful in future to be able to publish arbitrary DS records, which may not necessarily correspond to any DNSKEY. An example of this can be seen in this draft http://tools.ietf.org/html/draft-barwood-dnsext-dns-transport-18#section-3.12 where a special DS record is used to encode link-level transport information, allowing DNS traffic to be encrypted.

Thanks for your comments,

George

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
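Added example, not part of the message above or of either draft: how a child derives the CDS it would publish from a DNSKEY (RFC 4034 key tag, SHA-256 digest over the canonical owner name plus DNSKEY RDATA), so the parent receives only a hash from which the key cannot be recovered, and how the parent checks the DNSKEY against that DS once the key is actually published. The zone name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed sample DNSKEY for this example: KSK flags (257), protocol 3,
# algorithm 8 (RSASHA256). The key bytes are a placeholder, not a real key.
SAMPLE_OWNER = "example.test."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY = bytes([1, 2, 3, 4, 5, 6, 7, 8])


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256, RFC 4509) over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def cds_rdata(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Presentation-format CDS RDATA the child publishes: key tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


def parent_accepts_dnskey(owner: str, cds: str, flags: int, protocol: int,
                          algorithm: int, pubkey: bytes) -> bool:
    """Parent-side check once the DNSKEY appears: does it match the DS already held?"""
    tag, alg, dtype, digest = cds.split()
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and dtype == "2" and digest == ds_digest(owner, rdata))


if __name__ == "__main__":
    print(f"{SAMPLE_OWNER} IN CDS "
          f"{cds_rdata(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY)}")
```

The CDS carries only the key tag and a SHA-256 digest, which is why the key itself is not exposed until the child chooses to publish the DNSKEY and the DNSKEY RRset size is unchanged until then.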
